Google Apps Message Authentication (DKIM & SPF)

I've been attempting to unravel the technical underpinnings of an interesting message authorization effort over at DMARC.org. During this research, I noticed a couple of Google App domains under my watch that were not properly configured for email authentication (DKIM, SPF, etc.). The following is a chronicle of updates and test tools used to remedy this - hopefully useful.

Background

DomainKeys Identified Mail (DKIM), combined with Sender Policy Framework (SPF), provides a way to explicitly associate outbound email with a domain. This mechanism can be used to reduce the chances of having your domain's email mistakenly interpreted as spam or spoofed mail. In the long haul, it may also improve delivery rates for bona fide traffic and reduce forgery.

As I was testing Gapp domains that I watch over, I noticed that domains defined using the Google Apps Setup Wizard tested fine for DKIM and SPF while older Gapp domains failed. These domains were established before Google added its DKIM feature set in 2011. The following is the step-by-step used to update and test the non-compliant domains.

*** June 2014 Update - This page/procedure was created years ago, prior to the unveiling of the new Google Admin Console in 2013/2014. I took a quick pass thru and (hopefully) updated to match new admin navigation ***

Cautions & Considerations

The specifications and technologies involved in message authentication appear to be evolving and may not be commonly deployed, adopted or enforced in your techno ecosystem - test/test/test. There also seem to be variants (e.g. SenderID or DomainKeys) that may need to be considered to interface with specific partners.

Gapps email authorization set-up

The following step-by-step was originally recorded as I walked through the Google Apps admin control panel Setup Wizard (Setup > gmail > help prevent spoof) - updated to align with admin.google.com Admin Console:

SPF: Create a TXT record containing this text: v=spf1 include:_spf.google.com ~all
Note: "...an SPF record that uses -all instead of ~all may result in delivery problems." Google Help HERE read IT!

DKIM: Create a TXT record using the TXT record name and value saved in Step 3 above. Google Help HERE read IT!

Turn on email signing using the Start Authentication button on the Authenticate Email screen of Apps Admin Control Panel (hopefully still open in tab/window from step 3 above). Google Help HERE read IT!

Repeat above steps for each email domain until all are Authenticating email. Also remember, DNS updates may take a day or two to propagate through the net.
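A local sanity check for the two TXT values created in the steps above, as an added example that is not part of the original post or Google's tooling. The function names and SAMPLE_KEY are assumptions made for illustration; the SPF string and the -all/~all note are the ones quoted above.

```python
import base64

GOOGLE_INCLUDE = "include:_spf.google.com"  # from the SPF step above
# Constructed placeholder standing in for the p= value the Admin Console shows.
SAMPLE_KEY = base64.b64encode(b"constructed placeholder, not a real key").decode()


def check_spf(txt_records):
    """Return problems with a domain's SPF TXT records (empty list = OK)."""
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if not spf:
        return ["no v=spf1 TXT record published"]
    if len(spf) > 1:
        # RFC 7208: more than one SPF record makes receivers return permerror.
        return ["multiple v=spf1 records (permerror at receivers)"]
    terms = spf[0].lower().split()[1:]
    problems = []
    if GOOGLE_INCLUDE not in terms:
        problems.append("missing " + GOOGLE_INCLUDE)
    if "-all" in terms:
        problems.append("-all (hard fail): Google's note warns of delivery problems")
    elif "all" in terms or "+all" in terms:
        problems.append("+all authorizes every sender")
    elif "~all" not in terms:
        problems.append("no ~all term; unmatched senders are not soft-failed")
    return problems


def check_dkim(txt_value):
    """Return problems with a DKIM key record value (empty list = OK)."""
    tags = {}
    for part in txt_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional, default DKIM1
        problems.append("v= tag is not DKIM1")
    key = tags.get("p")
    if key is None:
        problems.append("missing p= (public key) tag")
    elif key == "":
        problems.append("empty p= means the key has been revoked")
    else:
        try:
            base64.b64decode(key, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append("p= is not valid base64 (truncated paste?)")
    return problems
```

Pass check_spf every TXT string published at the domain name, and check_dkim the single TXT value published at the DKIM record name; an empty list means no problem was found.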

Testing email authorization

Due to the nature of DKIM/SPF it's a bit tricky to see if everything is working when the configuration dust settles. I found a number of (seemingly good) online DKIM/SPF test tools and ran tests for each domain before and after implementation. Here are a couple of my favorites - there are quite a few more out there.